This is a place for me to ruminate about Privacy. Since I work as Google's Global Privacy Counsel, I need to point out that these ruminations are mine, not Google's. Please don't attribute them to Google.

Saturday, March 31, 2007

Binding Corporate Rules: Data Protection for the Rich

Yes, the rich are different. They can afford to spend millions in fees and years in regulatory process, all in the hope that their “binding corporate rules” will be approved by 27 different EU regulators, all applying slightly different rules. Whether all this money results in better privacy is dubious. I have never believed that regulatory paperwork by itself improves privacy practices. Indeed, every euro from a privacy professional’s budget that is spent on such paperwork is not being spent on other things, like employee privacy trainings, or improving privacy systems. Even the rich have budgets.

The concept of “binding corporate rules” is rather weird: a company makes a promise to itself, or rather its various affiliates make a promise to their parent company, or the other way around. And the promise is essentially to respect the law. In other words, to respect EU data protection concepts governing the transfer of personal data outside of the EU to countries that are not deemed to have “adequate” data protection. In case you’re wondering, Bulgaria and Romania have “adequate” data protection, but the USA does not... I’ll come back to that in another blog post. In essence, “binding corporate rules” are a solution to an artificial problem: the legal presumption that any data transfer outside of Europe will not have “adequate” privacy protection unless it fits into some sort of exception, like “binding corporate rules” or the Safe Harbor Agreement.

The reason that “binding corporate rules” are so expensive, and so well-loved by the legions of outside counsel who help their clients try to complete them, is because they require a company to document its data handling processes to the satisfaction of every data protection regulator in every jurisdiction in which it operates in Europe. A recent effort to streamline the process adopted the concept of “lead regulator” – a concept well known in many other regulatory fields in EU law – but still retained the legal obligation to obtain approval from all the other regulators. You can read the recommendation of the WP29 from January 10, 2007 here: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp133_en.docSince all these independent regulators are free to have a different opinion than the lead regulator, it’s hard to see how complicated companies with complicated data processing practices are ever going to obtain the unanimity required to have their “binding corporate rules” approved. And in fact, almost none have. GE famously obtained approval of its “binding corporate rules” after spending tons of time and money, but only for its human resources data. And GE and its regulators spent considerable effort publicizing this “success” across Europe. Considering that human resources data is only a small part of the data handling operations of any corporation, I can only wonder at the modesty of the achievement, at least in the real world of privacy protection. Since GE is one of the most sophisticated companies on the planet, what does that portend for the rest of us? Realistically, most companies that enter the process of “binding corporate rules” are going to be stuck in a sort of regulatory limbo, for years, and perhaps permanently. And in the unlikely event that any company obtains such approval, what would it mean in an era when companies are constantly changing their data processing practices?

The business world knows a flop when it sees one. Unless you're so rich, you don't care.